How to read an OpenSSL cipher suite list

Jeff asked:

hMailserver is an open source Windows e-mail server. For incoming e-mail it supports STARTTLS with the help of OpenSSL 1.1.1.
It allows configuring the cipher suites, the default is:


I wanted to disable AES256-GCM-SHA384 but after removing it, the cipher suite was still offered for STARTTLS (according to test site

In the end I had to remove AES128, AES256 and HIGH to stop AES256-GCM-SHA384 from appearing on STARTTLS.

How should I read this OpenSSL configuration setting? On the last line AES128 and AES256 are mentioned standalone. Doesn’t this mean that any cipher with AES128 or AES256 will be allowed, making the long list before that quite redundant?
The same goes for HIGH: doesn’t that make mentioning a lot of the other cipher suites redundant?

My answer:

You tried to disable a mandatory cipher suite for TLS 1.3, while TLS 1.3 was enabled, thus OpenSSL ignored the request.

If you want to disable this cipher suite, you must also disable TLS 1.3 (which it seems you did by removing HIGH).

You should not be attempting to do this at all. You should instead ask about whatever problem you had that led to this as a possible solution, so that something reasonable can be found. Unless, of course, you really mean to disable TLS 1.3.
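To see which entries of a cipher string select a given suite, each entry can be expanded on its own. The following is an added example, not part of the question or the answer: it uses Python's `ssl` module (which passes the string to the OpenSSL library Python is linked against), and the cipher string in it is constructed for illustration, not hMailServer's default.

```python
import ssl

def expand(cipher_string):
    """Suite names OpenSSL selects for cipher_string (TLS 1.2 and below)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects no suite at all
    # TLS 1.3 suites are configured through a separate OpenSSL setting and
    # are listed no matter what cipher_string says, so they are left out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def contributors(cipher_string, target):
    """Entries of a ':'-separated cipher string that select target by themselves."""
    found = []
    for token in cipher_string.split(":"):
        # Skip empty entries, removals (!, -), reorderings (+) and @ commands.
        if not token or token[0] in "!-+@":
            continue
        if target in expand(token):
            found.append(token)
    return found

def without(cipher_string, tokens):
    """Copy of cipher_string with the given entries dropped."""
    return ":".join(t for t in cipher_string.split(":") if t not in tokens)

# Constructed sample: explicit suite names followed by group keywords.
SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:"
          "AES128:AES256:HIGH:!aNULL:!MD5")
TARGET = "AES256-GCM-SHA384"

if __name__ == "__main__":
    print("entries selecting", TARGET, "->", contributors(SAMPLE, TARGET))
    only_name_removed = without(SAMPLE, {TARGET})
    print("still selected after removing only the name:",
          TARGET in expand(only_name_removed))
    all_removed = without(SAMPLE, set(contributors(SAMPLE, TARGET)))
    print("still selected after removing every contributing entry:",
          TARGET in expand(all_removed))
```

The same expansion is available from the command line with `openssl ciphers -v` followed by the cipher string.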

